Slashdot Mirror


Multiple Vulnerabilities in OpenSSL

gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."


  1. before the trolls start... by contrasutra · · Score: 4, Insightful

    Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.

    Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.

    Oh well, sometimes you just have to combat the trolls.

  2. Re:Non-Exploitable Security DOS Exploit by BlueCodeWarrior · · Score: 5, Insightful

    For those of us not on the FreeBSD mailing list, it is.

  3. Re:Non-Exploitable Security DOS Exploit by stratjakt · · Score: 5, Insightful

    It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.

    cvs, make and build, sure... But when it's click Windows Update, somehow it's some monumental task that's just the worst thing imaginable.

    --
    I don't need no instructions to know how to rock!!!!

  4. Re:Let's be like M$... by thedillybar · · Score: 4, Insightful

    They didn't tell anyone until a patch was available. Note that the vulnerability was announced Wednesday, and it included a link for the patch (openssl-0.9.7d) when it was released.

    It's fairly reasonable to assume that the developers knew of the vulnerability some time before the new version became available.

    I think it's good practice to do this if you can develop the new version fast enough. Announcing it early is only inviting someone to exploit it. I doubt anyone will fix the vulnerability themselves and put it into production before the official release comes out.

  5. Re:Non-Exploitable Security DOS Exploit by KidSock · · Score: 4, Insightful

    ...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.

    Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like /. to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions, as the sudden interest rattles free other problems.

  6. Re:Why Is This Happening? by nathanhart · · Score: 3, Insightful

    Probably has something to do with many people being able to do code audits freely and of course submit their fix for it ;)

    --
    GeekLeak.com - Silly name, serious geeks

  7. Re:Non-Exploitable Security DOS Exploit by Sivar · · Score: 4, Insightful

    You have a good point, as using Windows Update is easier (or at least as easy) as any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).
    One noteworthy difference, however, is that none of the BSD or GNU/Linux update methods tell the vendor the software (and their versions) that you run. To their credit, at least, none of them (including Microsoft) collect any actual personally identifiable information.

    --
    Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra

  8. Yawn by ChiralSoftware · · Score: 4, Insightful

    I'm bored of these OpenSSL advisories. On and on they go. An unchecked null and an out-of-bounds read. Someday, people will realize that unsafe data (anything that comes in over the net) really can't be safely manipulated in a language like C. If OpenSSL had been implemented in Java, these types of errors couldn't exist, or if they did exist, they would throw exceptions which could be caught and handled in some reasonable way.

    Rule #1: Unsafe data should be handled in sandboxed languages.

    Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.

    I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.

    ------------
    Create a WAP server

    1. Re:Yawn by thogard · · Score: 3, Insightful

      It's a one line patch to get Linux (2.2 and maybe 2.4 and maybe 2.6) to only let you open ports that equal a group you're in. It's a simple fix but no one wants to do it. Even the standard /etc/group isn't set up for this. Whatever listens to SMTP should be in group 25 and apache should be in groups 80 and 443. Then you don't need root to bind to the port and no other user can bind to the port either.

  9. advice on cvsup by puzzled · · Score: 3, Insightful


    There is a minimal cvsup config for FreeBSD 4.9 - cvsup -g -L 2 and you're off and running.

    *default host=cvsup6.FreeBSD.org
    *default base=/usr
    *default prefix=/usr
    # The following line is for 4-stable. If you want 3-stable or 2.2-stable,
    # change "RELENG_4" to "RELENG_3" or "RELENG_2_2" respectively.
    *default release=cvs tag=RELENG_4
    *default delete use-rel-suffix
    # If your network link is a T1 or faster, comment out the following line.
    *default compress
    src-all
    #ports-all tag=.

    make buildworld & make installworld install *world*, which does not include anything you built out of /usr/ports - portupgrade is what handles moving that stuff forward for you.

    FreeBSD *is* intimidating at first, but if you take the thirty days of pain at the end of that time you'll be looking at your Linux boxes and wondering why you ever put up with the chaos ...

    --
    I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo

  10. Re:Non-Exploitable Security DOS Exploit by gad_zuki! · · Score: 4, Insightful

    >Honestly people, is this really /. front page news?

    Yes, let's just wait till some kiddie writes a worm that crashes thousands of servers all over the world and then post about it.

    I like that slashdot posts security problems. Why?

    1. For the lazy admin. There's lots of them.

    2. Because it's important to keep reinforcing the idea that computers suck (I don't care what OS you like) and need constant care.

  11. C language is (also) to blame. by master_p · · Score: 3, Insightful

    A null-pointer assignment

    an out-of-bounds read

    Aside from the programmer's errors, if C was safer, both bugs would have already been caught a long time ago. C is clearly to blame here.
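As an added illustration of the two bug classes the summary names (a null pointer and an out-of-bounds read on data arriving from the network), and not OpenSSL's own code: a constructed two-byte length-prefixed record parser in C, shown in an unchecked form beside the checked one. The record format, the function names and the sample bytes are all assumptions made for this example.

```c
/* Added example, not OpenSSL's code: a bounded parser for a constructed
 * two-byte length-prefixed record, the kind of protocol field whose
 * declared length must never be trusted over what was actually received. */
#include <stddef.h>
#include <stdint.h>

struct record {
    const uint8_t *body;   /* points into the caller's buffer */
    size_t len;            /* body length in bytes */
};

/* 'Before' form: checks the pointer and the header, then trusts the
 * declared length. A caller that copies r.len bytes from r.body reads
 * past the end of 'buf' when the peer declares more than it sent. */
static int parse_record_unchecked(const uint8_t *buf, size_t buflen,
                                  struct record *out)
{
    if (buf == NULL || out == NULL || buflen < 2) return -1;
    out->body = buf + 2;
    out->len = ((size_t)buf[0] << 8) | buf[1];   /* may exceed buflen - 2 */
    return 0;
}

/* Hardened form: the declared length is checked against the bytes that
 * are really present, so r.body[0..r.len) always lies inside 'buf'. */
static int parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buf == NULL || out == NULL) return -1;          /* null-pointer guard */
    if (buflen < 2) return -1;                          /* truncated header */
    size_t declared = ((size_t)buf[0] << 8) | buf[1];
    if (declared > buflen - 2) return -1;               /* truncated body */
    out->body = buf + 2;
    out->len = declared;
    return 0;
}

/* Runs both parsers over constructed input: a well-formed record and one
 * that declares 16 body bytes but carries only 3. Returns 1 when the
 * hardened parser rejects the short record that the unchecked one accepts. */
static int self_check(void)
{
    const uint8_t good[] = {0x00, 0x03, 'a', 'b', 'c'};   /* constructed */
    const uint8_t bad[]  = {0x00, 0x10, 'a', 'b', 'c'};   /* constructed */
    struct record r;
    if (parse_record(good, sizeof good, &r) != 0 || r.len != 3) return 0;
    if (parse_record(bad, sizeof bad, &r) != -1) return 0;
    if (parse_record_unchecked(bad, sizeof bad, &r) != 0 || r.len != 16) return 0;
    return 1;
}
```

Calling self_check() from a main() of your own returns 1; the same checks on the caller side (never copying more than buflen - 2 bytes) are what the language does not supply for you.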